ELK配置和使用说明
Elastic Stack 简介与安装
一、简介
Elastic Stack 技术栈,简称ELK。包含的核心组件是Beats(Filebeat、Metricbeat等)、Logstash、Elasticsearch、Kibana。
官网:https://www.elastic.co/cn/
本次使用的组件版本号:
- filebeat-7.8.0-linux-x86_64
- logstash-7.8.0
- elasticsearch-7.8.0-x86_64
注:
目前Elastic Stack所有组件,官网都是建议使用同一版本号的,目前使用的都是
7.8.0。若已对ELK有基础的了解,可以直接查看第二章——安装。
1、部署架构图
2、流程图
3、Filebeat
Filebeat是日志收集器。用于监控、收集服务器日志文件。主要有以下三个重要概念:输入,收集器和输出。
3.1 输入
输入可以指定:file, stdin, redis, udp, docker, tcp, syslog。
5G小基站采集日志指定的输入为file,直接读取日志文件。
3.2 收集器
1)对于每个单独的文件,会启动一个收集器按行读取文件,并发送到输出端。
2)收集器负责管理文件描述符,即使一个文件被重命名了,它仍会继续读该文件。
3)当日志内容一段时间没有变化时,收集器会关闭。
3.3 输出
输出可以指定:elasticsearch, logstash, kafka, redis, file, console, cloud。
5G小基站日志的输出为logstash,采集的日志会平均发往多个logstash进行过滤。
3.4 消息队列
Filebeat使用一个内部队列来暂时存储消息,有内存队列和磁盘队列两种形式。消息队列会等待输出的应答,如果队列满了,就不再接收新消息。
5G小基站采集日志使用内存队列。
3.5 Filebeat工作原理
Filebeat由两个主要组件组成:prospector 和 harvester。
-
harvester
- 负责读取单个文件的内容。
- 如果文件在读取时被删除或重命名,Filebeat将继续读取文件。
-
prospector
- prospector 负责管理harvester并找到所有要读取的文件来源。
- 如果输入类型为日志,则查找器将查找路径匹配的所有文件,并为每个文件启动一个harvester。
- Filebeat目前支持两种prospector类型:log和stdin。
-
Filebeat如何保持文件的状态
- Filebeat 保存每个文件的状态并经常将状态刷新到磁盘上的注册文件中。
- 该状态用于记住harvester正在读取的最后偏移量,并确保发送所有日志行。
- 如果输出(例如Elasticsearch或Logstash)无法访问,Filebeat会跟踪最后发送的行,并在输出再次可用
时继续读取文件。 - 在Filebeat运行时,每个prospector内存中也会保存的文件状态信息,当重新启动Filebeat时,将使用注册
文件的数据来重建文件状态,Filebeat将每个harvester在从保存的最后偏移量继续读取。 - 文件状态记录在data/registry文件中。
3.6 配置说明
输入、采集规则、输出均可在filebeat.yml中配置,配置文件说明如下:
#======================= Filebeat inputs =============================
filebeat.inputs:
- type: log #输入类型
enabled: true #启用或禁用这段配置
paths: #日志文件名正则匹配
- ${ACSDIR}/logs/*.log
- ${ACSDIR}/logs/*.log.20[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
encoding: gbk #日志编码
include_lines: ['WARN -', 'ERROR-', 'INFO -', 'DEBUG-'] #采集包含指定内容的行
exclude_files: ['\.swp$'] #需要排除日志文件的正则表达
tags: ["init-serice"] #标识
- type: log #同上
enabled: true
paths:
- ${ACSDIR}/logs/record/*.[0-9]*.log
- ${ACSDIR}/logs/record/*.[0-9]*.log.20[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]
encoding: gbk
exclude_files: ['\.swp$']
tags: ["init_service_record"]
#======================= Filebeat modules===========================
filebeat.config.modules: #filebeat内部模块的配置
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#========================= Outputs ================================
#----------------------------- Logstash output --------------------------------
output.logstash: #指定Logstash作为输出
enabled: false #启用或禁用
hosts: ["10.17.0.8:5044","10.17.0.6:5044"] #ip、port
#loadbalance: true #负载均衡
#------------------------------- Redis output ---------------------------------
output.redis: #指定redis作为输出
enabled: true #启用或禁用
hosts: ["10.17.0.6:7001"] #ip、port
#=========================Xpack Monitoring =========================
xpack.monitoring: #监控配置
enabled: true #启用或禁用
elasticsearch:
hosts: ["10.17.0.6:9200"] #ip、port
username: beats_system
password: beatspassword
注:以上配置是列举的一些常用配置,并不是项目中使用的实际配置。
4、Logstash
Logstash作为日志转发与过滤模块,主要由输入,过滤器和输出三部分组成。
4.1 输入
输入可以指定file, syslog, redis, beats,从输入采集消息送至过滤器。支持的输入
5G小基站日志收集过程中Logstash指定的输入为Filebeat。
4.2 过滤器
过滤器使Logstash可以对消息进行各式各样的处理,功能非常丰富,但是指定了过多过滤条件的话,CPU使用率也有直线上升,所以日记格式在定义的时间尽量统一简单,这样可以最大限度减少过滤处理逻辑。
Logstash过滤器由几十个插件组成,详细信息可以查看链接https://www.elastic.co/guide/en/logstash/current/filter-plugins.html。
4.3 输出
发送过滤后的消息,输出可以指定为file, elasticsearch等。
5G小基站日志采集过程中Logstash指定的输出为Elasticsearch,消息会被送往后者处进行存储,并为用户提供搜索功能。
4.4 配置文件说明
输入、过滤规则、输出均可在app-dashboard.conf中进行配置,配置文件说明如下:
input {
beats {
port => "5044"
client_inactivity_timeout => 36000
}
}
filter {
if "init_service" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{DATA:level}\] -- \[%{NOTSPACE:class}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
}
else if "init_service_record" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{DATA:level}\] -- \[%{DATA:recordtype}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
json {
source => "message"
target => "jsoncontent"
}
}
}
output {
if "init_service" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
index => "app_run_access-%{+YYYY.MM.dd}"
}
}
if "init_service_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
index => "app_record_access-%{+YYYY.MM.dd}"
}
}
elasticsearch {
hosts => ["10.17.0.8:9200"]
index => "app_default_access-%{+YYYY.MM.dd}"
}
}
注意:
grok插件使用的是正则表达式,具体含义可以参见附录
grok-patterns
5、Elasticsearch
Elasticsearch是一个分布式的搜索和分析引擎,主要用于检索与分析日志。
Elasticsearch的发展是非常快速的,所以在ES5.0之前,ELK的各个版本都不统一,出现了版本号混乱的状态,所以
从5.0开始,所有Elastic Stack中的项目全部统一版本号。目前使用版本是7.8.0
5.1 基本概念
1)节点(node):一个elasticsearch实例,通过指定集群名可以加入到特定的集群中。
2)集群(cluster):节点的集合。
3)文档(document):数据的基本单元,格式为JSON。
4)索引(index):文档的集合,通过创建不同的索引可以区分不同种类的文档。
5)映射(mapping):决定一个文档(ducument)的组成,比如规定某字段的类型为文本或者数字。映射可以自动生成,但是手动指定可以减轻索引过程的压力,对于不需要进行全文搜索的字段,可以直接指定为keyword类型,这样该字段就不需要进行分词。
6)分片(shard):一个索引内的数据可以分成多个分片存储,集群方式部署时,多个分片会存在不同的主机上。默认情况下一个索引会创建5个分片。
副本(replica):分片的副本。默认情况下每个分片有一个副本。
5.2 节点类型
1)主节点备选节点(master eligible node):在一个集群中,主节点主要做一些轻量级的操作,比如创建和删除索引、管理新节点的加入和分片的分布。而主节点备选节点就是有资格成为主节点的节点,系统会在启动时从主节点备选节点中选举出主节点。如果主机点停止工作了,会从主节点备选节点中重新选举一个主节点。
2)数据节点(data node):数据节点是存储索引分片的节点,主要对文档进行增删改查等操作。数据节点对IO、内存、CPU要求较高。
3)预处理节点(ingest node):进行预处理相关操作的,小集群环境下一般不用。
4)仅协调节点(coordination):主要功能为处理路由请求、处理搜索聚合、分发批量索引请求。小集群环境下一般不用。
6、Kibana
Kibana是一个开源的分析与可视化平台,设计出来用于和Elasticsearch一起使用的。可以用kibana搜索、查看、交互存放在Elasticsearch索引里的数据,使用各种不同的图表、表格、地图等,kibana能够很轻易地展示高级数据分析与可视化。
二、安装
1 Elasticsearch
国内镜像库:https://mirrors.huaweicloud.com/elasticsearch/
注:请确保这台主机剩余足够的磁盘空间,磁盘空间占用如果到85%以上可能会有问题。
1)新建账户elasticsearch,必须使用此用户名
2)配置java环境,要求java8
3)解压安装包
tar -xvf elasticsearch-7.8.0.tar.gz
4)修改系统配置(root权限)
当启动elasticsearch时候遇到nofile、nproc、jvm等报错,需要修改下面系统配置。
echo "elasticsearch - nofile 65536" >> /etc/security/limits.conf
echo "elasticsearch - nproc 4096" >> /etc/security/limits.conf
echo "vm.max_map_count=262144" >> /etc/sysctl.conf
sysctl -w vm.max_map_count=262144
swapoff -a
5)修改Elasticsearch配置
(1)、config/elasticsearch.yml(文件最下面,修改蓝色部分)
vim config/elasticsearch.yml
network: 10.17.0.8
node.name: 10.17.0.8
discovery.zen.ping.unicast.hosts:
10.1.62.51 (master节点ip,若只有一个Elasticsearch结点,删除此配置)
network设置ip地址,任意网络均可访问可以设置为
0.0.0.0
(2)、config/jvm.options 配置
vim conf/jvm.options
-Xms128m #根据自己机器情况修改
-Xmx128m
-Xms8g 建议为物理内存的1/3到1/2,不超过30G
-Xmx8g 与-Xms保持一致
在Elasticsearch中如果,network.host不是localhost或者127.0.0.1的话,就会认为是生产环境,
会对环境的要求比较高,我们的测试环境不一定能够满足,一般情况下需要修改这2处配
6)启动 (进入elasticsearch-7.8.0目录下)
./bin/elasticsearch -d -p pid (pid文件中记录有进程id,用于关闭elasticsearch)
-d 后台启动
2 kibana
国内镜像库:https://mirrors.huaweicloud.com/kibana/
1)解压安装包
tar -xvf kibana-7.8.0-linux-x86_64.tar.gz
2)后台启动(进入kibana-7.8.0-linux-x86_64目录下)
nohup ./bin/kibana >/dev/null 2>&1 &
3 Logstash
国内镜像库:https://mirrors.huaweicloud.com/logstash/
1)解压安装包
tar -xvf logstash-7.8.0.tar.gz
2)配置文件修改
vim config/app-dashboard.conf
# 输入
input {
# 在filebeat输入
beats {
port => "5044"
client_inactivity_timeout => 36000
}
# 在redis输入
redis {
data_type => "list" #数据类型,一般不需要修改
key => "filebeat" #键值,filebeat插入redis时建立的key,默认值为filebeat
host => "10.17.0.6" #redis服务器 ip
port => 7001 #redis服务器port
}
}
#过滤
filter {
if "init_service_run" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{DATA:level}\] -- \[%{NOTSPACE:zlass}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
}
else if "init_service_record" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{DATA:level}\] -- \[%{DATA:recordtype}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
json {
source => "message"
target => "jsoncontent"
}
}
}
date{
match=>["timestamp","YYYY-MM-dd HH:mm:ss.SSS"]
target=>"logdate"
}
ruby{
code=>"
event.set('unix_ms_time',(event.get('logdate').to_f.round(3)*1000).to_i)
"
}
# 输出
output {
if "init_service_run" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
index => "app_run_access-%{+YYYY.MM.dd}"
}
}
if "init_service_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
index => "app_record_access-%{+YYYY.MM.dd}"
}
}
}
备注:如果Filebeat和Logstash中间加了一层redis,那么上面的在beats输入的配置就不需要了。
3)后台启动(进入 logstash-7.8.0目录下)
nohup ./bin/logstash -f config/app-dashboard.conf > /dev/null 2>&1 &
4 Filebeat
国内镜像库:https://mirrors.huaweicloud.com/filebeat/
1)解压安装包
tar -xvf filebeat-7.8.0-linux-x86_64.tar.gz
2)配置文件修改
vim filebeat-app.yml
filebeat.inputs:
- type: log
enabled: true
paths:
- /usr/local/beats/logs/*.log
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
tags: ["init_service"]
- type: log
enabled: true
paths:
- /usr/local/beats/logs/record/*.log
tags: ["init_service_record"]
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
output.logstash:
hosts: ["10.17.0.8:5044"]
#loadbalance: true # 负载均衡,若配置了多个logstash,设置为true
#------------------------------- Redis output(可选) ---------------------------------
output.redis:
enabled: false
hosts: ["10.17.0.6:17001"]
使用输出到Redis的话,就不需要输出到logstash的配置了
3)后台启动(进入filebeat-7.8.0-linux-x86_64目录下)
nohup ./filebeat -e -c filebeat-app.yml >/dev/null 2>&1 &
5 Redis(可选)
若安装完上述四个组件后发现导入日志的速率没有达到预期,可以在filebeat和logstash之间安装一层Redis。安装了Redis后,日志的导入速率有明显提升。
确定安装Redis后,需要修改Logstash和Filebeat的相应配置,具体操作可参考Logstash和FIlebeat的安装部分。
6 elasticsearch-head(可选)
由于ES官方并没有为ES提供界面管理工具,仅仅是提供了后台的服务。elasticsearch-head是一个为ES开发的一个页
面客户端工具,其源码托管于GitHub,地址为:https://github.com/mobz/elasticsearch-head
head提供了4种安装方式:
源码安装,通过npm run start启动(不推荐)
通过docker安装(推荐)
通过chrome插件安装(推荐)
通过ES的plugin方式安装(不推荐)
通过docker安装
#拉取镜像
docker pull mobz/elasticsearch-head:5
#创建容器
docker create --name elasticsearch-head -p 9100:9100 mobz/elasticsearch-head:5
#启动容器
docker start elasticsearch-head
通过浏览器进行访问:http://10.17.0.8:9100
注意:
由于前后端分离开发,所以会存在跨域问题,需要在服务端做CORS的配置,如下:
vim elasticsearch.yml
http.cors.enabled: true http.cors.allow-origin: “*”
通过chrome插件的方式安装不存在该问题。
chrome插件的方式安装
打开chrome的应用商店,即可安装https://chrome.google.com/webstore/detail/elasticsearch-head/ffmkiejjmecolpfloofpjologoblkegm
建议:推荐使用chrome插件的方式安装,如果网络环境不允许,就采用其它方式安装。
三、后续操作
1、Kibana建立索引映射
在数据采集完成,存到ES后。如果我们要通过Kibana来展示,那么就要在Kibana上创建索引映射,否则Kibana是不会把所有显示出来的。所有需要我们去建立这个映射。
1)依次找到Stack Management > Index patterns > Create index pattern
2)在红框中输入app_default_access-*,若有匹配的索引,点击“下一步”继续;若没有,则表示还没有改日志。可以在elasticsearch-head.
3)在这一步中选择@timestamp或者logdate,然后点击“创建索引模式”,创建成功,如下图所示
注意:
1、使用
@timestamp这个时间是Elasticsearch服务创建的,如果没有做时间同步,可能会和日志的实际打印时间有偏差。2、如果想使用日志的真正打印时间,可以选择
logdate这个时间,这个时间是通过日记格式的打印时间映射转换过来的。如果索引没有这个这个时间的话,默认是没有的。
3)创建成功后记得对字段进行一次刷新,否则有些字段会显示告警
5)依次进入Kibnana > Discover 模块里面就可以选择查看我们对于索引的日志了
四、索引生命周期管理(ILM)
在Elasticsearch 6.6之前,管理索引一般使用时间策略(定时器)对索引关闭,合并,删除等管理。时间策略工具一般使用官方的elasticsearch-curator或者自己通过Elasticsearch提供的API进行定时调用操作。Elasticsearch 6.6之后,官方就引入了索引的生命周期管理,就不在推荐使用时间策略来管理了,更多的是推荐我们使用生命周期管理策略来管理索引。
1、生命周期策略
热阶段(Hot phase)
此阶段是必需的。主要处理时序数据的实时写入
温阶段(Warm phase)
可选的,可以用来查询,但是不再写入,不会再有数据写入。此时可以将分片分配给性能较低的硬件。此阶段为了加快搜索速度,可以减少分片的数量并强制合并。
冷阶段(Cold phase)
可选的,索引不再会有更新操作,查询索引的频率相比温阶段更降低了,因此可以在性能低得多的硬件上分配分片。由于查询速度较慢,因此可以减少副本数。此阶段可以选择性的对索引进行冻结,冻结后的索引在集群上开销会占用很小,但是查询的效率也会降低。
删除阶段(Delete phase)
可选的,不再需要索引。数据将被删除。
2、将索引加入到生命周期中管理步骤
1)创建索引模版
操作步骤:【Index Management】-【Index Templates】-【Create a template】
索引模版创建示意图,在创建的时候,可以直接拷贝原有的索引模版进行修改。
上图创建索引模版,主要是配置索引模版名称(name),会适配到的索引(Index patterns ),索引设置(Index settings),索引字段的映射(Mappings)等信息,按照提示完成即可。
可以多个索引共用一个索引模版。将索引加入到索引模版管理以后,采集到数据只要索引适配到索引模版,那么该索引的数据格式就会按照索引模版定义好的格式来生成了。
完整的模版示例见附录3,模版设置
2)创建生命周期策略(ILM)
生命周期策略是用来管理对应索引的生命周期的。索引一般是使用索引模版来管理。索引在生命周期模版中,都是将索引版本添加在生命周期策略中,这样就可以对一类索引进行管理了。
操作步骤:【Index Lifecycle Policies】-【Create policy】
上图展示ILM创建入口
上图展示的是创建ILM每个周期的具体参数。比如
Hot phase,Warm phase,Cold phase,Delete phase会触发什么事。该设置只有Hot phase是必须的。Maximum index size:如果一个index的大小超过50GB,那么自动rollover
Maximum documents:如果一个index的文档数超过多少个(建议10000),那么也会自动rollover
Maximum age:如果一个index日期已在30天前创建索引后,那么自动rollover。
其中任何一个条件满足时都会触发索引的归档操作
下面是一段模版设置代码
PUT _ilm/policy/自定义策略
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "30d",
"max_size": "50gb",
"max_docs": 10000
},
"set_priority": {
"priority": 100
}
}
},
"delete": {
"min_age": "90d",
"actions": {
"delete": {}
}
}
}
}
}
上述hot阶段通过max_age配置了30d,意思是索引从创建至少需要经历30天的时间才会被移入到warm阶段,另一个delete阶段min_age配置了90d,意思是索引在创建后的90天会被删除;通常情况下warm、cold、delete的起始时间是从索引创建开始算起的,但是如果配置了hot,那么后面phrase配置的时间应该大于rollover的时间。
完整的模版示例见
附录3,模版设置
3)将来索引模版增加到生命周期策略中
操作步骤:【Index Lifecycle Policies】-【Actions】-【Add policy to index template】
上图就将来索引模版添加在ILM中,选择
Add policy to index template后选择对应的模版即可。
上图展示的是索引模版被加入ILM管理后,索引可以在通过对应生命周期状态和对应的IML查询出来。
需要注意的是,旧的索引不会被加入到生命周期管理。
所谓旧的索引就指,我们之前没有建立生命周期策略,或者没有加入到生命周期策略中的索引。
上图展示的是哪些索引模版、索引纳入了ILM管理。
上图展示的是被纳入了ILM管理,elasticsearch-head在索引会展示的生命周期信息。
五、附录
1、grok-patterns
USERNAME [a-zA-Z0-9._-]+
USER %{USERNAME}
INT (?:[+-]?(?:[0-9]+))
BASE10NUM (?[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+)))
NUMBER (?:%{BASE10NUM})
BASE16NUM (?(?"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))
UUID [A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}
# Networking
MAC (?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})
CISCOMAC (?:(?:[A-Fa-f0-9]{4}\.){2}[A-Fa-f0-9]{4})
WINDOWSMAC (?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})
COMMONMAC (?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})
IPV6 ((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?
IPV4 (?/(?>[\w_%!$@:.,-]+|\\.)*)+
TTY (?:/dev/(pts|tty([pq])?)(\w+)?/?(?:[0-9]+))
WINPATH (?>[A-Za-z]+:|\\)(?:\\[^\\?*]*)+
URIPROTO [A-Za-z]+(\+[A-Za-z+]+)?
URIHOST %{IPORHOST}(?::%{POSINT:port})?
# uripath comes loosely from RFC1738, but mostly from what Firefox
# doesn't turn into %XX
URIPATH (?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\-]*)+
#URIPARAM \?(?:[A-Za-z0-9]+(?:=(?:[^&]*))?(?:&(?:[A-Za-z0-9]+(?:=(?:[^&]*))?)?)*)?
URIPARAM \?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]]*
URIPATHPARAM %{URIPATH}(?:%{URIPARAM})?
URI %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
# Months: January, Feb, 3, 03, 12, December
MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b
MONTHNUM (?:0?[1-9]|1[0-2])
MONTHNUM2 (?:0[1-9]|1[0-2])
MONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
# Days: Monday, Tue, Thu, etc...
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)
# Years?
YEAR (?>\d\d){1,2}
HOUR (?:2[0123]|[01]?[0-9])
MINUTE (?:[0-5][0-9])
# '60' is a leap second in most time standards and thus is valid.
SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
# datestamp is YYYY/MM/DD-HH:MM:SS.UUUU (or something like it)
DATE_US %{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}
DATE_EU %{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}
ISO8601_TIMEZONE (?:Z|[+-]%{HOUR}(?::?%{MINUTE}))
ISO8601_SECOND (?:%{SECOND}|60)
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
DATE %{DATE_US}|%{DATE_EU}
DATESTAMP %{DATE}[- ]%{TIME}
TZ (?:[PMCE][SD]T|UTC)
DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}
DATESTAMP_EVENTLOG %{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}
# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
PROG (?:[\w._/%-]+)
SYSLOGPROG %{PROG:program}(?:\[%{POSINT:pid}\])?
SYSLOGHOST %{IPORHOST}
SYSLOGFACILITY <%{NONNEGINT:facility}.%{NONNEGINT:priority}>
HTTPDATE %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}
# Shortcuts
QS %{QUOTEDSTRING}
# Log formats
SYSLOGBASE %{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
COMMONAPACHELOG %{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
COMBINEDAPACHELOG %{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}
# Log Levels
LOGLEVEL ([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)
2、目前环境使用到的配置
filebeat-nginx配置
filebeat.inputs:
name: "init_service_nginx"
# 生命周期策略
setup.ilm.enabled: true
setup.ilm.rollover_alias: "init_service_nginx"
setup.ilm.pattern: "000001"
# ES模版配置
setup.template.enabled: true
setup.template.name: "init_service_nginx"
setup.template.pattern: "init_service_nginx-*"
setup.template.settings:
index.number_of_shards: 2
# modules配置
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
# 输出配置
output.elasticsearch:
hosts: ["10.0.0.184:30111","10.17.0.8:9200"]
需要开启modules,同时配置了ILM模版
filebeat配置-初始化模块
filebeat.inputs:
# 系统运行日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/*.log
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
tags: ["service_run"]
#=====================================init_service_record索引 start ===================================
# eureka操作日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/records/eureka-service_eureka_*.log
tags: ["init_service_record"]
# FTP操作日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/records/ftp-service_ftp_*.log
tags: ["init_service_record"]
# init-device操作日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/records/init-service_init-device_*.log
tags: ["init_service_record"]
# init-operation操作日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/records/init-service_init-operation_*.log
tags: ["init_service_record"]
#=====================================init_service_record索引 end ===================================
# 南向接口日志
- type: log
enabled: true
paths:
- /var/smallcell/log-docker/records/init-communication_south_*.log
tags: ["init_communication_south_record"]
#- type: log
# enabled: true
# paths:
# - /var/log/nginx/*.log
# tags: ["init_service_nginx"]
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
output.logstash:
hosts: ["10.17.0.8:5044"]#如果logstash是集群,在这里写入每个logstash集群地址,number_of_shards有多少个集群就写多少个
filebeat配置-统一网管
filebeat.inputs:
# 系统运行日志
- type: log
enabled: true
paths:
- /var/acs/log-docker/*.log
multiline.pattern: '^\['
multiline.negate: true
multiline.match: after
tags: ["service_run"]
# 设备上报--网元事件日志
- type: log
enabled: true
paths:
- /var/acs/log-docker/records/*_device-event_communication-host.*.log
tags: ["acs_communication_event_record"]
# 设备上报--网元心跳日志
- type: log
enabled: true
paths:
- /var/acs/log-docker/records/*_device-heartbeat_communication-host.*.log
tags: ["acs_communication_heartbeat_record"]
# 操作日志--统一网管操作日志
- type: log
enabled: true
paths:
- /var/acs/log-docker/records/acs-management_acs-operation_*.log
tags: ["acs_management_record"]
# 操作日志-统一网管安全日志
- type: log
enabled: true
paths:
- /var/acs/log-docker/records/acs-management_security_*.log
tags: ["acs_management_security_record"]
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 1
output.logstash:
hosts: ["10.17.0.8:5044"]
Logstash配置
input {
beats {
port => "5044"
client_inactivity_timeout => 36000
}
}
filter {
if "service_run" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{NOTSPACE:service}\] -- \[%{DATA:level}\] -- \[%{NOTSPACE:zlass}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
}
else if "init_service_record" in [tags] or "acs_communication_event_record" in [tags] or "acs_communication_heartbeat_record" in [tags] or "acs_management_record" in [tags] or "acs_management_security_record" in [tags] or "init_communication_south_record" in [tags] {
grok {
match => {
"message" => "\[%{TIMESTAMP_ISO8601:timestamp}\] -- \[%{DATA:level}\] -- \[%{DATA:recordtype}\] -- %{GREEDYDATA:message}"
}
overwrite => ["message"]
}
json {
source => "message"
target => "jsoncontent"
}
}
date{
match=>["timestamp","YYYY-MM-dd HH:mm:ss.SSS"]
target=>"logdate"
}
ruby{
code=>"
event.set('unix_ms_time',(event.get('logdate').to_f.round(3)*1000).to_i)
"
}
}
output {
if "service_run" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "service_run_access"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
elasticsearch {
hosts => ["10.0.0.184:30111"]
index => "service_run_access-%{+YYYY.MM.dd}"
}
}
if "init_service_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "init_service_record_access"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
elasticsearch {
hosts => ["10.0.0.184:30111"]
index => "init_service_record_access-%{+YYYY.MM.dd}"
}
}
if "acs_communication_event_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "acs_communication_event_record_access"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
elasticsearch {
hosts => ["10.0.0.184:30111"]
index => "acs_communication_event_record_access-%{+YYYY.MM.dd}"
}
}
if "acs_communication_heartbeat_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "acs_communication_heartbeat_record_access"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
elasticsearch {
hosts => ["10.0.0.184:30111"]
index => "acs_communication_heartbeat_record_access-%{+YYYY.MM.dd}"
}
}
if "acs_management_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "acs_management_record_access"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
elasticsearch {
hosts => ["10.0.0.184:30111"]
index => "acs_management_record_access-%{+YYYY.MM.dd}"
}
}
if "acs_management_security_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "acs_management_security_record"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
}
if "init_communication_south_record" in [tags] {
elasticsearch {
hosts => ["10.17.0.8:9200"]
ilm_rollover_alias => "init_communication_south_record"
ilm_pattern => "000001"
ilm_policy => "5G-bs-ilm-policy"
}
}
}
3、模版设置
1)自定义生命周期策略模版
PUT _ilm/policy/5G-bs-ilm-policy
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_age": "30d",
"max_size": "50gb"
},
"set_priority": {
"priority": 100
}
}
},
"warm": {
"actions": {}
},
"cold": {
"min_age": "60d",
"actions": {
"freeze": {}
}
},
"delete": {
"min_age": "90m",
"actions": {
"delete": {}
}
}
}
}
}
2)自定义索引模版
网元事件日志
索引:acs_communication_event_record_access
PUT _template/acs_communication_event_record_access?include_type_name
{
"order": 0,
"index_patterns": [
"acs_communication_event_record_access-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "acs_communication_event_record_access"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_routing": {
"required": false
},
"numeric_detection": false,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"_meta": {},
"_source": {
"excludes": [],
"includes": [],
"enabled": true
},
"dynamic": true,
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"date_detection": true,
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
网元心跳日志
索引:acs_communication_heartbeat_record_access
PUT _template/acs_communication_heartbeat_record_access?include_type_name
{
"order": 0,
"index_patterns": [
"acs_communication_heartbeat_record_access-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "acs_communication_heartbeat_record_access"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_meta": {},
"_source": {},
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
网管操作日志
索引:acs_management_record_access
PUT _template/acs_management_record_access?include_type_name
{
"order": 0,
"index_patterns": [
"acs_management_record_access-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "acs_management_record_access"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_routing": {
"required": false
},
"numeric_detection": false,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"_meta": {},
"_source": {
"excludes": [],
"includes": [],
"enabled": true
},
"dynamic": true,
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"date_detection": true,
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
安全日志
索引:acs_management_security_record
PUT _template/acs_management_security_record?include_type_name
{
"order": 0,
"index_patterns": [
"acs_management_security_record-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "acs_management_security_record"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_routing": {
"required": false
},
"numeric_detection": false,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"_meta": {},
"_source": {
"excludes": [],
"includes": [],
"enabled": true
},
"dynamic": true,
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"date_detection": true,
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
基础运行操作日志
索引:init_service_record_access
PUT _template/init_service_record_access?include_type_name
{
"order": 0,
"index_patterns": [
"init_service_record_access-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "init_service_record_access"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_meta": {},
"_source": {},
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
系统运行日志
索引:service_run_access
PUT _template/service_run_access?include_type_name
{
"version": 60001,
"order": 0,
"index_patterns": [
"service_run_access-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "service_run_access"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_meta": {},
"_source": {},
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 256,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
初始化南向接口日志
索引:init_communication_south_record
PUT _template/init_communication_south_record?include_type_name
{
"order": 0,
"index_patterns": [
"init_communication_south_record-*"
],
"settings": {
"index": {
"lifecycle": {
"name": "5G-bs-ilm-policy",
"rollover_alias": "init_communication_south_record"
},
"max_result_window": "1000000",
"number_of_shards": "1",
"refresh_interval": "5s"
}
},
"aliases": {},
"mappings": {
"_doc": {
"_routing": {
"required": false
},
"numeric_detection": false,
"dynamic_date_formats": [
"strict_date_optional_time",
"yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z"
],
"_meta": {},
"_source": {
"excludes": [],
"includes": [],
"enabled": true
},
"dynamic": true,
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"mapping": {
"norms": false,
"type": "text"
},
"match_mapping_type": "string"
}
},
{
"string_fields": {
"mapping": {
"norms": false,
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"match_mapping_type": "string",
"match": "*"
}
}
],
"date_detection": true,
"properties": {
"unix_ms_time": {
"type": "long"
},
"@timestamp": {
"type": "date"
},
"geoip": {
"dynamic": true,
"type": "object",
"properties": {
"ip": {
"type": "ip"
},
"latitude": {
"type": "half_float"
},
"location": {
"type": "geo_point"
},
"longitude": {
"type": "half_float"
}
}
},
"@version": {
"type": "keyword"
}
}
}
}
}
}
},
“aliases”: {},
“mappings”: {
“_doc”: {
“_routing”: {
“required”: false
},
“numeric_detection”: false,
“dynamic_date_formats”: [
“strict_date_optional_time”,
“yyyy/MM/dd HH:mm:ss Z||yyyy/MM/dd Z”
],
“_meta”: {},
“_source”: {
“excludes”: [],
“includes”: [],
“enabled”: true
},
“dynamic”: true,
“dynamic_templates”: [
{
“message_field”: {
“path_match”: “message”,
“mapping”: {
“norms”: false,
“type”: “text”
},
“match_mapping_type”: “string”
}
},
{
“string_fields”: {
“mapping”: {
“norms”: false,
“type”: “text”,
“fields”: {
“keyword”: {
“ignore_above”: 1024,
“type”: “keyword”
}
}
},
“match_mapping_type”: “string”,
“match”: “*”
}
}
],
“date_detection”: true,
“properties”: {
“unix_ms_time”: {
“type”: “long”
},
“@timestamp”: {
“type”: “date”
},
“geoip”: {
“dynamic”: true,
“type”: “object”,
“properties”: {
“ip”: {
“type”: “ip”
},
“latitude”: {
“type”: “half_float”
},
“location”: {
“type”: “geo_point”
},
“longitude”: {
“type”: “half_float”
}
}
},
“@version”: {
“type”: “keyword”
}
}
}
}
}